Agent SAML SSO and Identity Provider Logs

Status: public · Confidence: medium (0.725) · Basis: verified_sources

## TL;DR

SAML SSO and identity-provider logs help agents distinguish authentication failures from application authorization bugs.

## Core Explanation

SSO failures can happen before the application receives a valid identity. Agents should inspect the SAML request and response path, certificate status, audience, reply URL, user assignment, group claim, conditional access, and identity-provider sign-in logs.

This evidence prevents risky repairs such as disabling SSO or widening app access. A useful diagnosis names the IdP, service provider, affected user, timestamp, error code, and assertion or sign-in log evidence.
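As an added example (not code from the page or its cited sources), a small Python triage helper that runs the checks listed above over a constructed SAML Response and names the stage that failed, so the finding can be taken to the IdP sign-in log, the SP configuration, or the application as appropriate. The namespaces and status URI are standard SAML 2.0; the URLs, entity IDs and the `groups` attribute name are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample (not captured from a real IdP): status is Success and the
# audience is right, but Destination points at a stale reply URL and the group
# claim the application authorizes on is absent.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1"
  Destination="https://app.example.test/saml/acs-old">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://app.example.test/saml/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def triage(xml_text, expected_audience, expected_acs, group_attr):
    """Classify where SSO broke: 'idp', 'sp', 'app' or 'ok', plus findings."""
    root = ET.fromstring(xml_text)
    status = root.find("p:Status/p:StatusCode", NS)
    value = status.get("Value") if status is not None else "missing"
    if value != SUCCESS:
        # The IdP never issued a usable assertion (user assignment, conditional
        # access, ...): the IdP sign-in log, not the application, holds the reason.
        return "idp", [f"IdP status {value}"]
    findings = []
    if root.get("Destination") != expected_acs:
        findings.append(f"Destination {root.get('Destination')!r} != reply URL {expected_acs!r}")
    audiences = [e.text for e in root.findall(".//a:Audience", NS)]
    if expected_audience not in audiences:
        findings.append(f"Audience {audiences} lacks {expected_audience!r}")
    if findings:
        # Assertion issued but the SP must reject it: a metadata mismatch to fix
        # on the IdP app registration or SP config, not a reason to disable SSO.
        return "sp", findings
    names = {a.get("Name") for a in root.findall(".//a:Attribute", NS)}
    if group_attr not in names:
        # Identity is valid; the application's authorization input is missing.
        return "app", [f"group claim {group_attr!r} absent; got {sorted(names)}"]
    return "ok", []
```

Paired with the IdP sign-in entry for the same user and timestamp, the returned stage and findings are the evidence a diagnosis should name.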

## Source-Mapped Facts

- Microsoft identity platform documentation describes the SAML single sign-on protocol used for single sign-on applications. ([source](https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-on-saml-protocol))
- Microsoft Entra documentation describes sign-in logs as information about user sign-ins and application usage. ([source](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins))
- Okta support documentation describes user sign-in and recovery events in the Okta System Log. ([source](https://support.okta.com/help/s/article/User-Signin-and-Recovery-Events-in-the-Okta-System-Log?language=en_US))

## Further Reading

- [Microsoft SAML Single Sign-On Protocol](https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-on-saml-protocol)
- [Microsoft Entra Sign-In Logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins)
- [Okta User Sign-In Events in System Log](https://support.okta.com/help/s/article/User-Signin-and-Recovery-Events-in-the-Okta-System-Log?language=en_US)